[Dnsmasq-discuss] Shellshock.

Roy Marples roy at marples.name
Thu Oct 2 15:28:25 BST 2014


On 2014-09-29 20:17, Simon Kelley wrote:
> On 27/09/14 11:01, Roy Marples wrote:
>> On Friday 26 Sep 2014 21:14:20 Simon Kelley wrote:
>>> This is just a heads-up that if you're using the --dhcp-script option 
>>> in
>>> dnsmasq, and the script you're calling is being interpreted by bash,
>>> then you're affected by the shellshock bug.
>>> 
>>> The bug allows execution of arbitrary code contained in the values of
>>> environment variables, and there are several variables in the
>>> environment inherited by the DHCP script whose values can be set
>>> directly by a DHCP client, so any DHCP client on your network (or
>>> elsewhere, if your firewall allows) can execute arbitrary shellcode,
>>> probably as root, with a simple DHCP request.
>>> 
>>> The fix, of course, is to update bash.
>> 
>> What's your reason for not sanitising the variables?
>> 
>> I just released dhcpcd-6.4.7 which fixes this exact issue. I changed 
>> from
>> using my custom sanitiser to svis(3) with VIS_CSTYLE | VIS_OCTAL and 
>> the
>> output can be decoded using unvis(1).
>> Oddly enough this encoding matches the style dhcpcd was using 
>> previously which
>> is a nice win for me.

In the cold light day after shellshock I've come to the conclusion that 
you're right am I'm wrong.
Admittedly I was swayed by a SUSE security report which dealt with badly 
quoted shell scripts which addressed the issue by introducing some 
sanistisation into dhcpcd and I went from there.

Now, dhcpcd just sanistises according to the option encoding. So as most 
string options specify ASCII NVT dhcpcd will ensure that's what you get, 
stopping at the first invalid or non printable character. There are 
other encoding types such as domain, ascii, raw and binhex which will 
satisfy everything hopefully.
No more shell sanitising!

Roy



More information about the Dnsmasq-discuss mailing list